c-icap fail after update to 23.7.8

Started by rac-hh, November 09, 2023, 04:59:05 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
November 09, 2023, 04:59:05 PM
There is an update in 23.7.8 to c-icap 0.5.11.

Starting in debug mode:  c-icap -f //usr/local/etc/c-icap/c-icap.conf -N -D -d 9
...
Adding to acl AUTH the data *
In search specs list 0x0,name AUTH
New ACL with name:AUTH and  ACL Type: auth
Creating new access entry as allow with specs:
In search specs list 0x829c62480,name AUTH
Checking name:AUTH with specname AUTH
In search specs list 0x829c62480,name AUTH
Checking name:AUTH with specname AUTH
        Added acl spec: AUTH
In search specs list 0x829c62480,name 127.0.0.1
Checking name:127.0.0.1 with specname AUTH
In search specs list 0x829c62480,name 127.0.0.1
Checking name:127.0.0.1 with specname AUTH
The acl spec 127.0.0.1 does not exists!
The required acl spec '127.0.0.1' is missing
Fatal error while parsing config file: "//usr/local/etc/c-icap/c-icap.conf" line: 18
The line is: icap_access allow AUTH 127.0.0.1
...

With the mentioned line commented out the service starts.
"127.0.0.1" is not from configuration GUI - so this line is from standard config.


November 09, 2023, 08:37:10 PM #1
similar after updating my opnsense. c-icap wont start again
i want all services to run with wirespeed and therefore run this dedicated hardware configuration:

AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance

private user, no business use
November 10, 2023, 08:45:38 AM #2 Last Edit: November 10, 2023, 08:49:42 AM by chatmate
I met the same problem after update.
I tried to comment out the line containing "icap_access" like below, the same as rac-hh mentioned, and it works on my system.

Code Select
#icap_access allow AUTH 127.0.0.1

I think it could be a workaround until the fix becomes available.
November 10, 2023, 11:05:31 AM #3
Here the same problem.

Only can't open c-icap.conf file for workaround: Error opening/parsing config file is spitting @ me.
November 10, 2023, 11:52:21 AM #4 Last Edit: November 10, 2023, 12:40:01 PM by chatmate
Additional information.

I'm not good at English, so I read the logs roughly earlier, but after carefully reading the logs shared by @rac-hh, it seems that the ACL AUTH is defined correctly, but the ACL definition of 127.0.0.1 does not exist.

After defining a new ACL with server ip address attribute and specifying 127.0.0.1 as the IP address value, I was able to start the c-icap service without any error, and I was able to activate the c-icap connection in squid without any problem.

Code Select

#icap_access allow AUTH 127.0.0.1
acl localserver srvip 127.0.0.1   
icap_access allow AUTH localserver

I think it is probably a bug in c-icap 0.5.11 rather than a problem with opnsense. I don't know when c-icap was updated in my environment, but when opnsense was updated, c-icap might be updated at the same time. The latest version of c-icap, c-icap 0.5.11, was released on September 27, 2023, and c-icap-modules-0.5.6 was released on October 2, 2023.
November 13, 2023, 09:59:06 AM #5
November 13, 2023, 10:29:21 AM #6
There is a [pull request](https://github.com/opnsense/plugins/pull/3667) using the solution from @chatmate
Print
Go Up Pages1
User actions